On first start, the worm checks for an existing mutex (named after its own filename) to avoid infecting the same machine twice.

Exploiting Technologies:

The worm generates random IP addresses and attempts to connect to port 445 on each of them in order to exploit the Plug and Play buffer overflow vulnerability (see MS05-039). If the exploit succeeds, it executes code (shellcode) on the target machine that instructs it to connect back to the source and retrieve a copy of the worm. (This copy is uploaded to the target machine over a TFTP server connection created for this purpose, driven by the TFTP command file "%Temp%\{ random number }.bat".) The worm creates its own task for this purpose.

The worm executes TFTP.EXE locally on the compromised system to retrieve a copy of the worm named "%Windir%\a{ random number }.exe" from the connecting system, and starts this file once the download completes. The worm lists all exploited IP addresses in its IRC channel.
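The propagation behaviour described in the two paragraphs above leaves a recognisable network and host footprint: one source fanning out to many destinations on TCP/445, a freshly hit host opening UDP/69 (TFTP) back to the very peer that just reached it on 445, and dropped files named "a{digits}.exe" under the Windows directory and "{digits}.bat" under the temp directory. The following Python is an added detection example written for this page; it is not code from the original write-up or from any vendor tool. The connection-log format, the thresholds, the 60-second correlation window and the concrete expansions of %Windir% (C:\WINDOWS or C:\WINNT) and %Temp% (a path ending in \Temp) are all assumptions for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample connection log, one record per line:
#   <epoch-seconds> <src_ip> <dst_ip> <proto> <dst_port>
# The format is an assumption for this example; adapt parse_log() to your sensor.
SAMPLE_LOG = """\
1000 10.0.0.5 198.51.100.1 tcp 445
1001 10.0.0.5 198.51.100.2 tcp 445
1002 10.0.0.5 203.0.113.7 tcp 445
1003 10.0.0.5 192.0.2.9 tcp 445
1004 10.0.0.5 192.0.2.10 tcp 445
1005 10.0.0.5 10.0.0.20 tcp 445
1006 10.0.0.20 10.0.0.5 udp 69
1010 10.0.0.7 10.0.0.8 tcp 445
1011 10.0.0.8 10.0.0.30 tcp 80
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, port = m.groups()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "proto": proto, "port": int(port)})
    return records


def find_smb_fanout(records, min_targets=5):
    """Sources that reached at least min_targets distinct hosts on TCP/445.
    Random-IP scanning shows up as a high distinct-destination count."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["port"] == 445:
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_tftp_callbacks(records, window=60):
    """(victim, source) pairs where victim received TCP/445 from source and then
    sent UDP/69 back to that same source within `window` seconds. This matches
    the 'connect back to the source to fetch the worm over TFTP' step."""
    smb_in = defaultdict(list)  # victim -> [(ts, source)]
    for r in records:
        if r["proto"] == "tcp" and r["port"] == 445:
            smb_in[r["dst"]].append((r["ts"], r["src"]))
    hits = []
    for r in records:
        if r["proto"] == "udp" and r["port"] == 69:
            for ts, source in smb_in.get(r["src"], []):
                if source == r["dst"] and 0 <= r["ts"] - ts <= window:
                    hits.append((r["src"], r["dst"]))
                    break
    return hits


# Host-side artifact names from the write-up. %Windir% is assumed to expand to
# C:\WINDOWS or C:\WINNT and %Temp% to a path ending in \Temp (assumptions).
DROPPED_EXE_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\a\d+\.exe$", re.I)
DROPPED_BAT_RE = re.compile(r"\\temp\\\d+\.bat$", re.I)


def is_dropped_artifact(path):
    """True if a file path matches either dropped-file naming pattern."""
    return bool(DROPPED_EXE_RE.match(path) or DROPPED_BAT_RE.search(path))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SMB fan-out sources:", find_smb_fanout(recs))
    print("TFTP call-backs (victim, source):", find_tftp_callbacks(recs))
    print(is_dropped_artifact(r"C:\WINDOWS\a42517.exe"))
```

On the constructed log, 10.0.0.5 is flagged for reaching six distinct hosts on 445, and 10.0.0.20 is flagged because it opened UDP/69 back to 10.0.0.5 one second after being reached on 445. The fan-out threshold should be tuned per environment, since domain controllers and backup servers legitimately talk to many hosts on 445; the 445-then-TFTP-back correlation is the more specific of the two signals.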

Process Termination:

The worm tries to terminate the following processes (if they are running):